Re: LSM Patch Additions for CAPP (C2) Audit Trails

From: Theodore Tso (tytsoat_private)
Date: Fri Jul 06 2001 - 17:36:25 PDT


    On Fri, Jul 06, 2001 at 08:55:00AM -0400, Stephen Smalley wrote:
    > 
    > Could you clarify about the capabilities module?  From your description
    > above, it sounds like Ted agreed that we shouldn't move the base
    > kernel logic out to a module, but it isn't clear if that also
    > includes the core capabilities logic.  If Ted indicated that we
    > shouldn't move even the core capabilities logic out into a module,
    > then we need to revert those changes, because we have already moved
    > some of that logic.
    
    What do you mean by "core capabilities logic" and "base kernel logic"?
    
    As I recall, what I said was that if people wanted to change the
    "capable" function so that it got called out to a module, that's the
    sort of thing which *could* be done via #ifdef.  Linus in general
    won't mind an #ifdef in a header file which changes something like
    capable() for its existing definition to one which gets implemented
    via a module.  There will be a minor performance hit by doing it in
    the module, caused by two things (1) the procedure activation cost,
    and (2) the fact that the entire kernel uses a single TLB entry, but
    each 4k page in module text requires its own TLB entry (and a
    potential TLB miss).  I doubt these issues will actually be a major
    issue, but then again, I didn't see a major advantage in doing it in a
    separate module, either.  Still, if someone wanted to experiment with
    moving the capable() check to a module, it'd be pretty harmless to do
    it via an #ifdef CONFIG_XXX test.  I don't think moving it out to a
    module would be considered a major win or a major turnoff as far as
    deciding whether or not the patches were acceptable.
    
    If what you mean by "core capabilities logic" is the code to manage
    the capability mask settings, sure, that can be moved out to a module.
    (I assume that it will be possible to have modules linked directly
    into the kernel for those people who don't want to use modules, yes?)
    
    						- Ted
    
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
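The mechanism Ted describes, a header-level #ifdef that swaps the built-in capable() for one that calls out to a module, together with the "core capabilities logic" that manages the mask settings, is sketched below as an added, self-contained toy model. It is not Linux kernel code and not code from anyone in this thread; the config symbol CONFIG_CAPABLE_MODULE, the hook pointer, the capmod_init() registration function and the 32-bit mask are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>

/* Toy model (constructed for this example, not Linux code) of a per-task
 * capability mask and the capable() check.  A CONFIG_ #ifdef in what would
 * be a header selects between an inline built-in definition and a call
 * through a function pointer that a module fills in at load time. */

#define CAP_CHOWN      0
#define CAP_NET_ADMIN  12
#define CAP_SYS_ADMIN  21
#define CAP_TO_MASK(c) (1u << (c))

typedef uint32_t kernel_cap_t;

/* The three POSIX.1e-style sets a task carries. */
struct task_caps {
    kernel_cap_t effective;
    kernel_cap_t permitted;
    kernel_cap_t inheritable;
};

/* Assumed config symbol: define it to route capable() through the module. */
#define CONFIG_CAPABLE_MODULE 1

#ifdef CONFIG_CAPABLE_MODULE
/* Hook supplied by the "module"; NULL means no module has registered. */
static int (*capable_hook)(const struct task_caps *, int) = NULL;

/* Out-of-line wrapper: this is where the extra procedure activation
 * (and, in a real kernel, the module-text TLB entry) is paid. */
static int capable(const struct task_caps *t, int cap)
{
    if (capable_hook == NULL)
        return 0;                 /* fail closed until a module registers */
    return capable_hook(t, cap);
}
#else
/* Built-in definition: one inline mask test, no call overhead. */
static inline int capable(const struct task_caps *t, int cap)
{
    return (t->effective & CAP_TO_MASK(cap)) != 0;
}
#endif

/* ---- "module" side: the core capabilities logic ---- */

/* The check itself is the same mask test as the built-in version. */
static int module_capable(const struct task_caps *t, int cap)
{
    return (t->effective & CAP_TO_MASK(cap)) != 0;
}

/* Assumed registration entry point, what a module init would call. */
void capmod_init(void)
{
#ifdef CONFIG_CAPABLE_MODULE
    capable_hook = module_capable;
#endif
}

/* Raise a capability into the effective set; refused (-1) unless the
 * capability is already in the permitted set, so the set can never grow
 * beyond what the task was granted. */
int cap_raise(struct task_caps *t, int cap)
{
    if (!(t->permitted & CAP_TO_MASK(cap)))
        return -1;
    t->effective |= CAP_TO_MASK(cap);
    return 0;
}

/* Drop a capability from the effective set; always allowed. */
void cap_lower(struct task_caps *t, int cap)
{
    t->effective &= ~CAP_TO_MASK(cap);
}
```

Two points worth noting in the design: the wrapper fails closed when no module has registered, so a missing or unloaded module denies rather than grants, and cap_raise() enforces the permitted-bounds-effective rule in the module, which is the part of the mask management Ted says can live outside the base kernel without affecting how the capable() call site looks.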
    
    This archive was generated by hypermail 2b30 : Sun Jul 08 2001 - 23:03:29 PDT